Explore Vulnerabilities

Explore all Exploits:

libxt.so -xrm

The libXt library is part of the X Windows system. There are several buffer overflow conditions that may allow an unauthorized user to gain root privileges through setuid and setgid programs that are linked to libXt. These problems were openly discussed on the Bugtraq mailing list in 1996. This discussion led the OpenGroup (maintainers of the X-Windowing System) to release a new version of X Windows which was more thoroughly audited and which hopefully addressed a series of buffer overflows.

Automounter Daemon Exploit

A vulnerability has been discovered in the automounter daemon (automountd) that may allow an unauthorized user to send arbitrary commands to the automounter daemons. These commands, given automounter's SUID root status, are executed as root. This bug was originally thought to be fixed by a Sun patch; however, a Bugtraq poster subsequently found that the patch was insufficient. Moreover, it was initially thought that this bug was local only. Multiple parties later discovered the problem could be exploited remotely by leveraging the attack off a remote vulnerability in rpc.statd. In particular, Solaris rpc.statd allows remote users to proxy RPC requests through itself so they appear to have come from the localhost.

SMB Client Mount Shares Vulnerability

A modified SMB client can mount shares on an SMB host by passing the username and corresponding LanMan hash of an account that is authorized to access the host and share. The modified SMB client removes the need for the user to "decrypt" the password hash into its clear-text equivalent. Paul Ashton posted the theory and corresponding exploit code to NTBugtraq. In order for his code to work, the attacker must first obtain a valid username and LanMan hash for a user account known to have access permissions to the resource on the remote NT host.

FSO Vulnerability in ASP

The File System Object (FSO) may be called from an Active Server Page (ASP) to display files that exist outside of the web server's root directory. An example of this syntax would be: http://www.server.foo/showfile.asp?file=../../global.asa. This vulnerability could be used to view the source code of ASP files or stream data into other ASP files on the web server.

Solaris 2.5.1 /usr/bin/ps Vulnerability

Due to insufficient bounds checking on arguments supplied to ps, it is possible to overwrite the internal data space of the ps program. As ps is setuid root, this vulnerability may be exploited by users on a system to gain root access. The exploit code builds a buffer with shellcode and the address of the buffer, and then executes the exploit buffer.

Microsoft Forms 2.0 TextBox ActiveX Object

A vulnerability exists in the Microsoft Forms 2.0 TextBox ActiveX object that allows malicious web forms to access data from the Windows clipboard without the knowledge of the visiting end-user. This control is loaded when Visual Basic 5.0, Project 98, Outlook 98, or Office 97 is installed on the host. An attacker can exploit this vulnerability by using a malicious web form with a TextBox ActiveX object and a function to paste the clipboard data into the text box.

Irix 6.4 ioconfig xploit

A vulnerability exists in the ioconfig program, as shipped with IRIX 6.4 S2MP from Silicon Graphics, Inc. This program is only available on Irix 6.4 for the Origin/Onyx2. Other machines running IRIX are not vulnerable. This vulnerability will allow a local user to obtain root privileges. The ioconfig program calls system() without setting the path to be used; this allows an attacker to alter their path to cause ioconfig to execute arbitrary programs.

Recent Exploits: